about the only thing you can't put in the config file is the password. let's face it, you really don't want to put the password in there -- if someone breaks into your account, they could gain access to all your remote accounts just by reading the file. not only that, but most people pick weak passwords. their first name. their first name followed by '123'. the name of some famous actor/actress/singer. stuff like that. no wonder their hotmail accounts are broken into all the time.

i'm guilty of this, too, by the way. since i'm the laziest person around, my root passwords on my home machines are usually one character long -- just a period. (then again, i have ssh set up to disallow remote logins by root, and my computers are all behind a one-way nat, so i'm safe.)

ssh gives you another mechanism for authenticating yourself to remote servers -- keys. keys are "stronger" than passwords because you can use a sentence as a key passphrase instead of a short 6-8 character password. it's pretty hard to guess a sentence, not so hard to guess a password.

    % ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/me/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase): i am the greatest!
    Enter same passphrase again: i am the greatest!
    Your identification has been saved in /home/me/.ssh/id_rsa.
    Your public key has been saved in /home/me/.ssh/id_rsa.pub.
    The key fingerprint is:
    8d:72:c3:62:87:31:d0:00:7e:29:c8:4b:f4:31:32:b1 me@ultralisk
    %

now we have two key files -- .ssh/id_rsa and .ssh/id_rsa.pub. to use these files to log in to a remote system, we first need to put the public key file on the server and place it into .ssh/authorized_keys (note: on some systems, you need to place it in ~/.ssh/authorized_keys2). we could just do
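Putting the public key in place, as an added example that is not code from the original post: the function appends one key line to authorized_keys without duplicating it and sets the permissions sshd checks before it will use the file. The host name slowpc and the ~/.ssh/id_rsa pair come from the article; bash on both ends is an assumption.

```bash
#!/bin/bash
# Added example, not code from the original post: put a public key into a
# user's authorized_keys with the permissions sshd requires, and avoid
# adding the same key twice. Assumes the key pair ~/.ssh/id_rsa{,.pub}
# generated above and a remote host named slowpc as in the article.

# append_authorized_key AUTHFILE KEYLINE
# Appends one public-key line to AUTHFILE unless it is already there and
# tightens permissions (sshd's StrictModes refuses group/world-writable
# ~/.ssh or authorized_keys). Prints "added" or "present".
append_authorized_key() {
    local authfile=$1 keyline=$2 dir keyid
    dir=$(dirname "$authfile")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$authfile" && chmod 600 "$authfile"
    # Match on key type and base64 blob only (fields 1-2); the trailing
    # comment may differ between copies of the same key.
    keyid=$(printf '%s\n' "$keyline" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$authfile" | grep -qxF -- "$keyid"; then
        echo present
    else
        printf '%s\n' "$keyline" >> "$authfile"
        echo added
    fi
}

# install_remote_key HOST [AUTHFILE]
# Ships the function above to HOST inside one ssh session and runs it there
# (assumes bash on the server), so nothing needs installing first. Pass
# .ssh/authorized_keys2 as AUTHFILE for the older servers the article mentions.
install_remote_key() {
    local host=$1 authfile=${2:-.ssh/authorized_keys} keyline
    keyline=$(cat ~/.ssh/id_rsa.pub)
    ssh "$host" "$(declare -f append_authorized_key); append_authorized_key '$authfile' '$keyline'"
}

# Usage on the workstation (the account password is asked this one last
# time; afterwards ssh slowpc asks for the key passphrase instead):
#   install_remote_key slowpc
```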

what does this exercise buy us? well, now when we type ssh slowpc, we don't type in the password, we type in the passphrase. it's a long passphrase, and people aren't likely to guess it or crack it. people can try to watch your fingers as you type it in, but it'll be a lot harder for them to figure out what you're typing in.

but, you say, they can still try to log in using the password, if they somehow guess it. yep. there are two options here. since you won't use passwords to log in any more, you won't need to set the password to something easy to remember. so, your first option is to set the password to something completely unguessable. something that looks more like perl code than a word in english (or urdu/farsi/arabic/whatever). this is probably the better option.

the second option is to disable password logins entirely. simply edit /etc/ssh/sshd_config and set PasswordAuthentication no, and restart sshd. be careful, though. if you lose .ssh/id_rsa (your half of the two keys), or if .ssh/authorized_keys is deleted on the server, you won't be able to log in using ssh.
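A check worth running on /etc/ssh/sshd_config before that restart, as an added example that is not part of the original post: it reads settings the way sshd does (first uncommented occurrence wins, keywords are case-insensitive, Match blocks are ignored) and also confirms that the keyboard-interactive method, through which PAM can still ask for a password, is off. The sample config lines in the comments are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): check an sshd_config for the
# settings that keep password logins off, before restarting sshd.
# Assumes the /etc/ssh/sshd_config path from the article and the
# whitespace-separated "Keyword value" form of the file.

# sshd_setting FILE KEYWORDS
# Prints the effective value of a keyword (KEYWORDS may be "a|b" for
# aliases): sshd uses the first uncommented occurrence outside any Match
# block, and keyword names are case-insensitive.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }            # Match blocks come last
        tolower($1) ~ ("^(" key ")$") { print $2; exit }
    ' "$1"
}

# audit_password_logins FILE
# Returns 0 when the file disables every way of logging in with a password,
# otherwise prints what still needs changing and returns 1. Besides
# PasswordAuthentication, sshd can ask for a password through PAM's
# keyboard-interactive method (ChallengeResponseAuthentication, called
# KbdInteractiveAuthentication in newer releases); both default to yes.
audit_password_logins() {
    local file=$1 ok=0 key val
    for key in PasswordAuthentication \
               'ChallengeResponseAuthentication|KbdInteractiveAuthentication'; do
        val=$(sshd_setting "$file" "$key")
        if [ "${val:-yes}" != no ]; then
            echo "$key should be 'no' (currently ${val:-unset, defaults to yes})"
            ok=1
        fi
    done
    # Don't lock yourself out: key logins must stay enabled (default yes).
    val=$(sshd_setting "$file" PubkeyAuthentication)
    if [ "${val:-yes}" != yes ]; then
        echo "PubkeyAuthentication is '$val'; keys would stop working too"
        ok=1
    fi
    return $ok
}

# Before restarting, let sshd parse the file (sshd -t) and keep your current
# session open in another window in case the new config rejects your key:
#   audit_password_logins /etc/ssh/sshd_config && sshd -t && systemctl restart ssh
```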

but, you say, you've just made us type a long sentence every time we want to ssh to the server! yes, it is pretty annoying, having to type in your password a dozen times a day. and, right you are, it's a lot worse to type in a sentence; you end up wasting precious seconds every time you want to log in or scp a file! why, you could be reading the gupshup forum on linuxpakistan!

ssh has something to help us with this problem. ssh ships with a program called "ssh-agent" that keeps track of your passphrases. if you run a recent distribution of linux, you probably have "ssh-agent" running right now. to check, type

on ubuntu, you'll find a file in /etc/X11/Xsession.d to start it whenever you login. i'm sure other distributions have something similar.

ssh-agent works with a tool called ssh-add to manage ssh key passphrases. it works like this

- you (or the distribution) run ssh-agent when you log in
- you type "ssh-add .ssh/id_rsa < /dev/null" or just "ssh-add"
- ssh-add asks you for your passphrase
- if the passphrase is correct, it gives the passphrase to ssh-agent

now, whenever you try to log in to a server that uses the id_rsa key, ssh will ask ssh-agent for the passphrase, and not you:
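The agent workflow above as an added example, not code from the original post: it tells from ssh-add's exit status whether an agent is reachable, reuses the agent the distribution started instead of launching a second one, and loads ~/.ssh/id_rsa with a lifetime so an unlocked key does not stay usable indefinitely.

```bash
#!/bin/bash
# Added example, not code from the original post: find out whether an
# ssh-agent is reachable, start one only if there is none, and load the
# article's key into it. Assumes ~/.ssh/id_rsa from the ssh-keygen run above.

# agent_state
# Prints "loaded" when the agent holds keys, "empty" when it runs but holds
# none, and "none" when no agent is reachable (SSH_AUTH_SOCK unset or stale).
# ssh-add -l exits 0, 1 and 2 for those three cases respectively.
agent_state() {
    local rc=0
    command -v ssh-add >/dev/null 2>&1 || { echo none; return; }
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

# ensure_agent
# Reuses the agent the distribution started at login (the Xsession.d case in
# the article) and only starts a private one for this shell when none exists,
# so keys do not end up scattered across several agents.
ensure_agent() {
    if [ "$(agent_state)" = none ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
}

# load_key [KEYFILE] [LIFETIME]
# Asks for the passphrase once and hands the unlocked key to the agent with a
# lifetime (-t, e.g. 8h), so a terminal left logged in does not keep the key
# usable forever; ssh-add -c would additionally prompt on every use.
load_key() {
    ssh-add -t "${2:-8h}" "${1:-$HOME/.ssh/id_rsa}"
}

# Typical start of a work day:
#   ensure_agent && load_key && agent_state   # prints "loaded"
```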

you could just hit enter there, and avoid using ssh-agent altogether. but, it creates a security problem. now, if someone breaks into your account, they can just ssh to some other system without typing in a password or passphrase! that's worse than using bad passwords. you don't want to do that.

however, there are situations where you do need a passwordless login to a system. most of the time, it's because you want a cron job on your system to automatically execute a script or program (usually for backups) on the remote system. since your cron job can't use ssh-agent, here's what you do.

you need to create a pair of keys using ssh-keygen (don't call it ~/.ssh/id_rsa, call it ~/.ssh/backups_rsa or something) with an empty passphrase, and copy the pub key to the remote server's authorized_keys file, as described above. before you copy the nopass_rsa.pub file over, edit the file and add the command you want to execute on the remote system.
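Building the restricted authorized_keys line for the cron key, as an added example that is not code from the original post: the key name ~/.ssh/backups_rsa comes from the article, while /usr/local/bin/backup and the from= host are placeholders, and the key line in the test is constructed.

```bash
#!/bin/bash
# Added example (not from the original post): build the authorized_keys line
# for the passphrase-less backup key the article describes, restricted so
# that it can only run the backup command. Assumes the key is named
# ~/.ssh/backups_rsa (from the article); /usr/local/bin/backup and the
# remote host name are placeholders.

# make_backup_key [KEYFILE]
# Generates a key pair with an empty passphrase (-N ''), dedicated to cron.
make_backup_key() {
    ssh-keygen -t rsa -b 4096 -N '' -C "cron backup from $(hostname)" \
        -f "${1:-$HOME/.ssh/backups_rsa}"
}

# restrict_key_line COMMAND [FROM] < pubkey
# Reads one public-key line on stdin and prints it with the restriction
# options sshd understands. command= replaces whatever the client asked to
# run (the request is still visible to the script as $SSH_ORIGINAL_COMMAND),
# and the no-* options remove tunnels, forwarding and interactive shells, so
# a copied key file is only good for running that one command. FROM limits
# the client hosts, e.g. "192.0.2.10" or "*.example.net".
restrict_key_line() {
    local cmd=$1 from=$2 opts line
    read -r line || return 1
    case $line in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "not a public key line: $line" >&2; return 1 ;;
    esac
    opts="command=\"$cmd\",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"
    [ -n "$from" ] && opts="from=\"$from\",$opts"
    printf '%s %s\n' "$opts" "$line"
}

# On the workstation:
#   make_backup_key
#   restrict_key_line /usr/local/bin/backup "$(hostname -f)" < ~/.ssh/backups_rsa.pub
# and append the printed line to ~/.ssh/authorized_keys on the server.
# The cron entry then uses the dedicated key and never waits for a prompt:
#   0 3 * * * ssh -i ~/.ssh/backups_rsa -o BatchMode=yes slowpc backup
```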

AOA,
That's a very nice article. One thing I'd really like SSH to have is to be able to add port forwarding on the fly. A lot of the time, you don't know the port to forward until after you login. In such a case, you have to logout and log back in with the correct commandline argument (or config options).

BTW, is there an SSH client GUI (preferably KDE based) like putty is on Windows?

A.O.A
What a great effort. I really enjoyed that article, as it shows the worth of a person and also the worth of this "Linux Pakistan" forum. I think Linux Gurus in this forum should post advanced-level Gup Shup. Hope everybody will enjoy that Series.